Field of Invention
The invention specified herein relates to the field of network steganography. Herein, the term network steganography is defined as using normal network communication to conceal data inside transmissions.
Description of Related Art
The following is a tabulation of some United States and international patents that presently appear relevant:
Pat. No. | Issue date | Patentee | Title
U.S. 7,356,599 | Apr. 8, 2008 | Bastian Pochon, Paolo Scotton | Method and Apparatus for Data Normalization
U.S. 8,527,779 | Sep. 3, 2013 | William Easttom | Method and Apparatus of Performing Distributed Steganography of a Data Message
U.S. 7,509,675 | Mar. 24, 2009 | Jeffrey A. Aaron | Non-Invasive Monitoring of the Effectiveness of Electronic Security Services
JP 2011028703 | Feb. 10, 2011 | Morizumi Tetsuya | Security System Incorporated in Search System
The following is a tabulation of some United States and international patent applications that presently appear relevant:
Patent application No. | Pub. date | Patentee | Title
US 20140254797 | Sep. 11, 2014 | Agnieszka Piotrowska | Method and Filter for Erasing Hidden Data
US 20130019106 | Jan. 17, 2013 | Ronald Fischer | Method and Apparatus for Digital Steganography
US 20090013074 | Jan. 8, 2009 | William H. Rice | System and Method for Distributed Network Monitoring for Steganographic Messages
CN 2016061742 | Apr. 28, 2016 | Jianping Wang, Rui Zhang, Wen Qi | Automatic Profiling Framework of Cross-VM Covert Channel Capacity
The following is a reference list of non-patent literature with authoritative information related to the present invention:
Jankowski, B., Mazurczyk, W., & Szczypiorski, K. (2011). Introducing inter-protocol steganography. Telecommunication Systems, 52, 1101-1111. doi:10.1007/s11235-011-9616-z
Wendzel, S., Zander, S., Fechner, B., & Herdin, C. (2015). Pattern-based survey and categorization of network covert channel techniques. ACM Computing Surveys (CSUR), 47(3), 1-26. doi:10.1145/2684195
Zielinska, E., Mazurczyk, W., & Szczypiorski, K. (2014). Development trends in steganography. Communications of the ACM, 57(3), 86-95. doi:10.1145/2566590.2566610
In preparation for a description of the present invention, the following terms will be defined and/or contextualized. The term network will be used to describe a shared digital medium used by a sender and a receiver to exchange data. The term packet will be used herein to generically refer to any unit of a network transmission including but not limited to frames, segments, or datagrams. The term overt refers to legitimate network data. The term covert describes surreptitious network data. A covert channel shall herein refer to the manipulation of packets that causes or has the effect of any one of the following:
a) Communicating data via a network such that the method of transfer is unconventional by the standard of the protocol being used to transmit said data (e.g., IETF RFC 791 [IP], IETF RFC 768 [UDP], or IETF RFC 793 [TCP], etc.);
b) Communicating data via a network such that it is transferred concurrently with overt data to the extent that the surreptitious transmission would be precluded but for the presence of the overt data;
c) Communicating data via a network such that the transfer of said data would not be noticed by one skilled in the area of network communications;
d) Communicating data via a network such that one skilled in the area of covert channels would consider the exchange generally unorthodox or explicitly covert.
The literature describes network communication consistent with the above characteristics as network steganography and a person skilled in that area as a network steganographer. The role of the network steganographer is distinct from the person who operates the invention described herein; thus, the entity using the invention in practice shall be referred to as the operator of the invention.
The output of a single steganographic method or a combination of methods shall be referred to herein as a steganogram. Herein, the term steganogram refers either to a single overt packet that has been altered or, as a collective term, to a plurality of overt packets whose transmission method has been altered in order to manifest network steganographic communication. The process of embedding a covert message in an overt packet or altering the transmission of the overt packet to facilitate network steganographic communication shall be referred to herein as encoding. The reversal of that process, which extracts the hidden message from the steganogram, shall be referred to herein as decoding.
Any form of evaluation regarding the performance of a process, device, or algorithm in its ability to detect, prevent, correct, measure, alter the form of, alter the behavior of, characterize, or otherwise make judgments about steganograms shall be referred to herein as network steganographic assessment. The entity that is the subject of a network steganographic assessment, regardless of its specific configuration, shall herein be referred to as a test subject in the singular or test subjects in plural. A summative judgment as to how well or poorly a test subject performed during a network steganographic assessment shall be referred to herein as network steganographic effectiveness. Network steganographic assessments and the resulting judgments regarding network steganographic effectiveness can include but are not limited to the performance and reliability of the test subject during the assessment or the ability of the test subject to meet any other non-functional requirement of the operator with regard to network steganography.
Types of covert channels include methods that alter the protocol data unit (PDU) or header of a protocol to store a covert message or portion thereof. Such methods are referred to as storage channels. Another type of covert channel found in the related art is referred to as a timing channel. A timing channel is a method of covert communication that uses the deltas between packet times to encode data. A timing channel differs from a storage channel in that the former does not modify an overt packet to store covert data. The covert data is hidden from the network steganographer because a timing channel alters the normal transmission intervals of packets to manifest a covert channel. Parity channels use the state of a packet itself to encode data. For example, a packet with an odd checksum value could represent a 1 bit and a packet with an even checksum could represent a 0 bit. Sequence channels use the order of packets to encode covert data. For example, if numbered packets (e.g., packets enumerated using a TCP sequence number) have a predefined order of transmission, a deviation from the specified order could encode a 1 bit and conformance to the predefined order could represent a 0 bit.
Transmitting or receiving using a plurality of methods including but not limited to the aforementioned network steganographic methods to exchange a single covert message, portion of a covert message, or multiple covert messages shall be referred to herein as network steganographic integration. Evaluating the test subject using a plurality of methods is a critical feature of the invention because an entity wishing to develop defenses against network steganographic exfiltration would want such a defense to demonstrate its effectiveness against multiple steganographic exfiltration mechanisms. A defense that was effective against a single exfiltration method would still be vulnerable to a multitude of other methods. As such, the invention described herein enables an entity to optionally test a plurality of methods against a test subject. When using the invention described herein, the operator would select a group of network steganographic methods, evaluate the effectiveness of the test subject with regard to each of those methods, and continue until the test subject was evaluated against each method within the group. Network steganographic integration could also occur when the operator uses said group of methods to send a single message during the process of performing a network steganographic assessment. As such, any network steganographic assessment using a multi-method combination shall also be considered network steganographic integration.
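As an added illustration of the covert channel types defined above and of the multi-method assessment just described (this is constructed example code, not part of the application or any product it describes), the following toy harness encodes a constructed covert message with a parity channel and a sequence channel, passes the resulting steganograms through two hypothetical test subjects, and reports the fraction of covert bits each test subject lets through. Packets are plain dicts with constructed seq, payload and checksum fields; the normalizer test subject and its behaviour are assumptions for the illustration.

```python
def make_packets(n):
    # Constructed overt traffic; checksum is derived from payload so that a
    # normalizing test subject can recompute it.
    pkts = [{"seq": i, "payload": bytes([i, 2 * i])} for i in range(n)]
    return [dict(p, checksum=sum(p["payload"]) & 0xFFFF) for p in pkts]

def parity_encode(packets, bits):
    # Parity channel: the parity of packet i's checksum carries bit i.
    out = []
    for p, b in zip(packets, bits):
        c = p["checksum"]
        out.append(dict(p, checksum=c if c % 2 == b else c ^ 1))
    return out + packets[len(bits):]

def parity_decode(packets, n):
    return [p["checksum"] % 2 for p in packets[:n]]

def sequence_encode(packets, bits):
    # Sequence channel: packets 2i and 2i+1 are swapped to carry a 1 bit,
    # left in their predefined order to carry a 0 bit.
    out = list(packets)
    for i, b in enumerate(bits):
        if b:
            out[2 * i], out[2 * i + 1] = out[2 * i + 1], out[2 * i]
    return out

def sequence_decode(packets, n):
    return [int(packets[2 * i]["seq"] > packets[2 * i + 1]["seq"]) for i in range(n)]

# Hypothetical test subjects: one forwards traffic untouched, the other
# normalizes it (reorders by seq and recomputes checksums from payload).
def passthrough(packets):
    return list(packets)

def normalizer(packets):
    ordered = sorted(packets, key=lambda p: p["seq"])
    return [dict(p, checksum=sum(p["payload"]) & 0xFFFF) for p in ordered]

METHODS = {"parity": (parity_encode, parity_decode),
           "sequence": (sequence_encode, sequence_decode)}

def assess(test_subject, bits, packets):
    # Network steganographic effectiveness as one number per method: the
    # fraction of covert bits surviving the test subject (lower is better).
    scores = {}
    for name, (encode, decode) in METHODS.items():
        recovered = decode(test_subject(encode(packets, bits)), len(bits))
        scores[name] = sum(a == b for a, b in zip(bits, recovered)) / len(bits)
    return scores

COVERT_BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-bit covert message

if __name__ == "__main__":
    for subject in (passthrough, normalizer):
        print(subject.__name__, assess(subject, COVERT_BITS, make_packets(16)))
```

Extending the group with a timing or storage channel is a matter of adding an encode/decode pair to METHODS; the assessment loop is unchanged.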
The use of network steganographic integration manifested by the invention described herein is distinguished from the related art that uses intra-protocol and inter-protocol steganography referenced by Jankowski, Mazurczyk, and Szczypiorski (2011) by virtue of the fact that the current invention uses a plurality of steganographic methods in an evaluative context, whereas the related art discusses the application of intra-protocol and inter-protocol methods without referring to an assessment of a test subject. Additionally, the intra-protocol and inter-protocol methods discussed by Jankowski et al. (2011) relate to exploitative use intended to lessen the probability of detection, whereas the invention described herein relates to a broader set of concerns with regard to the performance of an entity by asserting its network steganographic effectiveness, which is not intended to enhance the covert nature of a multi-method attack. To the contrary, the invention described herein is intended to evaluate the ability of a test subject to counteract the surreptitious characteristics asserted by Jankowski et al. (2011).
The invention described herein is unique from the prior art by virtue of its focus on evaluating the network steganographic effectiveness related to the theft of data via exfiltration, its emphasis on the assessment of a monolithic test subject as opposed to an aggregated service, and its integrative features designed to expose the test subject to a wide variety of exfiltration algorithms. As such, the integrative and exfiltration-based approach of the present invention is distinct from the normalization countermeasures of Piotrowska (2014), the file block focus of Easttom (2013), the detective foci of Rice (2009) as well as Pochon and Scotton (2008), the inbound denatured position of Aaron (2009), and the preventative orientation of Fischer (2013).